Storage subsystem, storage system, and communication control method

ABSTRACT

In a storage subsystem which is connected to an IP network, by excluding an improper packet, security is heightened, and a performance of communication to a logical unit of a storage subsystem is maintained and secured. In the storage subsystem according to one embodiment, a function which carries out filtering of a packet other than an iSCSI packet is provided. With respect to only the packet passed through the function, its accessibility to the logical unit is filtered. Also, traffic of all received packets, and traffic of each packet sorted out by the two filtering functions are measured, and a traffic log of a packet judged to be discarded by the above filtering is recorded. By using this information, controlling such as a cut-off process of improper communication, QoS securement for normal communication and so on, are carried out.

BACKGROUND OF THE INVENTION

The present invention relates to communication between a host computer and a storage subsystem. In particular, it relates to a filtering technology and a communication cut off technology in communication at the time of an access from the host computer to a logical unit in the storage subsystem.

In a storage system in which one or more host computers and one or more storage subsystems are connected by a network, there is a security technology which prevents an unauthorized access on the occasion of accessing from a host computer to a logical unit (LU) in a storage subsystem. As an example, in an environment where an accessible logical unit is restricted with respect to each host computer, cut off of an unauthorized access is realized by having a filtering function in a storage subsystem, which judges right and wrong of an access of received information by information regarding a host computer as a source.

For example, a storage system which is disclosed in Japanese Patent Laid-Open Publication No. 2000-265655 (hereinafter, referred to as Patent Document 1) comprises, on a nonvolatile memory in a storage subsystem, a LUN access management table which manages a WWN (World Wide Name) as information which uniquely identifies a host computer, a LUN (Logical Unit Number) as a number of a logical unit in a storage subsystem which permitted an access from the host computer, and a virtual LUN as a number of a virtual LU that a user or an operating system on the host computer arbitrarily assigned in parallel with the LUN, by associating them with one another. For such communication that the host computer accesses the storage subsystem, the storage system further comprises a WWN-S-ID management table which manages a S-ID (Source ID) as a management number which is dynamically assigned at the time of log-in and which is always constant while the host computer is in operation, and the WWN of the host computer, by associating them with each other.

In the storage system disclosed in Patent Document 1, with reference to these two management tables, right and wrong of an access to a logical unit is judged at the time point of generation of an inquiry command at the time of log-in. After that, there is no necessity to repeat this judgment. On this account, it is possible to limit right and wrong of an access for each logical unit while maintaining and operating a storage subsystem with high performance, which realizes strong security.

In this regard, however, the storage system disclosed in Patent Document 1 is a system which was built up by a dedicated network, such as a SAN (Storage Area Network) in which a host computer and a storage subsystem are connected to be networked by using a dedicated interface called as Fiber Channel (FC). Therefore, it is a premise that only a SCSI command, which is a command set for an access from a host computer to a storage subsystem, is transmitted to a storage subsystem.

On the other hand, in these years, a standard specification of iSCSI, which is a protocol for transmitting and receiving a SCSI command on an IP network, has been studied by a standards body, IETF.

In an iSCSI, transmission and reception of a command are carried out, by storing (encapsulating) an SCSI command etc. in a transfer frame of a TCP packet which is stored in a payload of an IP packet and by streaming it on an IP network, which realizes an I/O process between a host computer and a storage subsystem.

By using an iSCSI, it is possible to connect not only a host computer but also a storage subsystem directly to an IP network. A hub, a router, a switch type etc. which have been used in an IP network conventionally and configure a network can be used without change.

Therefore, by using an IP network, it is possible to easily respond to widening of a storage subsystem access, which was difficult to realize because of such aspects as cost and communication distance limit. It is also possible to apply a matured IP network management technology without change, so that simplification of management can be expected.

SUMMARY OF THE INVENTION

However, in the above-described iSCSI, there are merits as described above, but on the other hand, demerits exist.

On an IP network, a variety of communication packets are transmitted and received. On this account, as compared with a conventional case in which a host computer and a storage subsystem are connected by an FC network as a dedicated network, there is such an aspect that it is not possible to foresee a traffic communication performance and so on.

Also, since all the world is surrounded by an IP network, there is a possibility that an ill-willed user carries out a communication attack on a storage subsystem etc. connected to an IP network for the purpose of system-down, falsification of data, theft and so on, and it has weakness in a security aspect.

A filtering function disclosed in Patent Document 1 lets through only a packet which is permitted to access any logical unit in a storage subsystem. On this account, a packet which is not permitted to access basically does not reach a logical unit.

However, as described above, the filtering function of Patent Document 1 is predicated on such a network that there exists only a packet for an access to a storage subsystem, and it is not a structure with awareness of such an environment that an unexpected packet is transmitted as in an IP network.

Also, in the technology disclosed in Patent Document 1, a packet judged to be not permitted to access (hereinafter, referred to as improper packet) is not processed and simply discarded.

For example, an improper packet can be a packet from a host computer which is not permitted to access that storage subsystem, an unexpected packet from an unknown device which is not primarily permitted to access a storage subsystem itself, and so on. However, in the technology disclosed in Patent Document 1, it is not possible to determine even a type and a source of these improper packets.

In an environment which is connected to such a communication line that a packet other than a packet for an access to a storage subsystem in an IP network etc. is transmitted and received, there is a high possibility that, particularly in packet from an unknown device, an ill-willed packet which is intended for a communication attack is included. However, in the technology disclosed in Patent Document 1, a positive defensive measure to such communication attack is not considered.

The present invention is made taking such situation into consideration. It is an object to heighten security, in a storage subsystem which is connected to a communication line, and to secure a network QoS to a storage subsystem.

In order to achieve the above-described object, a storage subsystem of the present invention comprises filtering means which has only a proper packet passed through to a logical unit of a storage subsystem, out of packets received from a network at the time of session establishment. On that occasion, header information etc. of a packet to be discarded is alerted to a management server. The management server which received the alert controls communication on a network, by utilizing the header information etc.

For example, the present invention provides a storage subsystem which is connected to a host computer through a communication line, comprising an interface used for connecting to the communication line, and wherein,

- the interface comprises a first filtering means which judges whether a packet, out of the communication packets, is a communication packet with a predetermined format for use in an access to the storage subsystem or not, when the communication packet is received from the communication line.

Also, the storage subsystem comprises a communication failure judging means which measures traffic of all communication packets received in the interface, and traffic of communication packets judged to be no communication packet of the above-described format in the first filtering means, respectively, and which judges whether a communication failure is generated or not, by using both traffic. The storage subsystem further comprises a communication failure alerting means which alerts a management server connected to the storage subsystem and comprises a function for displaying alerted information, in case that it is judged that a communication failure is generated. The management server comprises source searching means which refers to a traffic log, and searches a source of the communication packet which has the communication failure generated, in case that it was alerted from the communication failure alerting means that the communication failure is generated, and relay device control means which controls a relay device which relays communication to a storage subsystem disposed on the communication line so as to cut off communication from the source, based on the information of the source searched by the source searching means.

According to the present invention, it is possible to heighten security in a storage subsystem connected to a communication line. Further, it is possible to secure a network QoS to a storage subsystem.

BRIEF DESCRIPTIONS OF THE INVENTION

FIG. 1 is a view for illustrating an iSCSI packet of an embodiment of the present invention.

FIG. 2 is a functional configuration view of a storage system of an embodiment of the present invention.

FIG. 3 is a view for illustrating an LU access permission table of an embodiment of the present invention.

FIG. 4 is a view for illustrating a communication failure judging threshold table of an embodiment of the present invention.

FIG. 5 is a view for illustrating a traffic log of an embodiment of the present invention.

FIG. 6 is a view for illustrating a flow of processes when a storage subsystem received a packet.

FIG. 7 is a process flow in case that an improper packet was received, in a storage system of an embodiment of the present invention.

FIG. 8 is a process flow of a performance decrement preventing process in a management server of an embodiment of the present invention.

FIG. 9 is a process flow of a QoS control process in the management server of an embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, one embodiment of the present invention will be described by using the drawings.

In an embodiment of the present invention, a case using iSCSI for communication between a storage subsystem and a host computer, in a storage system having one or more host computers and one or more storage subsystems, will be described as an example. That is, in this embodiment, as a protocol which is used between both of them, a protocol of a network layer is an IP (Internet Protocol), and a protocol of a transport layer is a TCP/IP which is a TCP (Transmission Control Protocol), and as a command set which carries out control of a storage subsystem, an SCSI command is used. The SCSI command is encapsulated in a packet which is exchanged on the TCP/IP, and then, transmitted and received.

As a matter of course, the present invention is not limited to the above-described protocols and command set. As long as the command set for accessing a storage subsystem from a host computer is implemented on a protocol used in a network, the format of the protocol and the command set do not matter.

FIG. 1 shows a configuration of the iSCSI and basic concept of a packet which is transmitted and received, which are the premise of the present invention. In this figure, 100 designates a storage subsystem, 200 designates a host computer, and 300 designates an IP network which connects between the storage subsystem 100 and the host computer 200. Also, in this embodiment, out of IP packets transmitted and received on the IP network, an IP packet which stored an SCSI command, an SCSI response etc. in a TCP packet stored in a payload of an IP packet, is referred to as iSCSI packet 310.

In an iSCSI protocol, a source of an SCSI command 311 is referred to as iSCSI initiator, and a side which processes a received command and returns a response 312 to the SCSI command 311 is referred to as iSCSI target. Therefore, in this figure, the host computer 200 is the iSCSI initiator, and the storage subsystem 100 is the iSCSI target.

In a hierarchical model of iSCSI, an iSCSI layer is located between an SCSI layer and a TCP/IP layer which exchange the SCSI command. The iSCSI layer receives the SCSI command etc. from the SCSI layer, encapsulates it to prepare an SCSI PDU (Protocol Data Unit), and transfers it to the TCP/IP layer. Also, it processes an iSCSI PDU received from the TCP/IP layer, pulls out the SCSI command etc., and transfers it to the SCSI layer.

A communication data configuration of a part below the TCP/IP layer of the iSCSI packet 310 is the same as a commonly used TCP/IP packet configuration. The iSCSI packet 310 is transmitted and received as a normal TCP/IP packet on the IP network 300, until it processes the encapsulated SCSI command.

In addition, a header of the iSCSI packet 310 includes information which shows that the iSCSI command is encapsulated in the packet. On this account, at the side of the iSCSI target which received the iSCSI packet, it is possible to judge whether the packet is the iSCSI packet 310, by confirming header information, without carrying out a process for pulling out the iSCSI command in the TCP/IP layer.

Also, in case of iSCSI, in the iSCSI layer, a session as a logical communication path is built up between the iSCSI initiator 200 and the iSCSI target 100, and then, communication is carried out. The session is built up after authentication is obtained, in the same manner as a commonly used procedure of building up a connection in a TCP layer. A procedure for obtaining authentication is referred to as iSCSI log-in in iSCSI. In this embodiment, before a session is built up, i.e., prior to the iSCSI log-in, each of all IP packets is filtered as to whether it is the iSCSI packet or not, and if it is the iSCSI packet, a session is built up. After the session is built up, filtering of packets is not carried out, relying on that authentication.

In addition, these methods of building up a session and of log-in are the same specification as one between the storage subsystem 100 and the host computer 200 connected by a conventional FC network (see, Patent Document 1). Therefore, when viewed from the SCSI layer, there is no difference due to a type of a subordinate hierarchy, i.e., a type of a network by using TCP/IP and FC.

Also, in Patent Document 1, in order to uniquely specify the host computer 200, data conversion which specifies a WWN from a S-ID of an FC frame header is carried out. In iSCSI, in order to specify the host computer 200 at the time of building up a session, an iSCSI name as a domain concept utilized conventionally in the IP network 300 is used. The iSCSI name is included in header information of the iSCSI packet.

From the foregoing, in a network connection of the storage subsystem 100 and the host computer 200 by using iSCSI means, what was configured in an FC network so far is simply replaced by the IP network 300, and there is no difference at all in an access specification to a storage subsystem.

Next, a storage system of the embodiment of the present invention will be described. FIG. 2 is a functional configuration view of the storage system of this embodiment.

As shown in this figure, the storage system of this embodiment has one or more host computers 200, one or more storage subsystems 100, a management server 400, and the IP network 300.

The IP network 300 is a network which utilizes a TCP/IP as a communication protocol, and all the world is at present surrounded by that, as represented by Internet, and it is a network environment to which various information devices are connected. The storage subsystem 100, the host computer 200 and the management server 400 are connected by this IP network 300. The iSCSI packet is exchanged through the IP network 300, in the same manner as other IP packets.

Here, in this embodiment, as the IP network 300, a configuration which is connected as a star arrangement by a router or switch 320 will be described as an example. However, a network configuration is not limited to this. It is sufficient if a router or switch 320 is located between the storage subsystem 100 and the host computer 200.

The storage subsystem 100 comprises a storage interface 110 which receives IP packets from outside of the storage subsystem 100, a logical unit (LU) 130 as a storage area, a storage area control device 131 which receives an I/O instruction to control the logical unit 130, a maintenance terminal 150 which maintains the storage subsystem 100, a communication control unit 161 which communicates information at the side of the storage subsystem 100 to the maintenance terminal 150, and a cache memory 162 which realizes speeding up an I/O process etc.

Here, the storage interface 110 comprises, as a hardware configuration, a control processor 111 which controls entire operations, a control memory 112 which stores a program that the control processor 111 executes, a nonvolatile memory 113 which stores data even when the control processor 111 is stopped, and a port 114 which is an I/F with an external network.

The control processor 111 realizes each function of an IP level filter unit 115, an LU level filter unit 116, a traffic measuring and judging unit 117, communication information and failure alerting unit 118, and an iSCSI off-road engine 119, by executing the program stored in the control memory 112.

The nonvolatile memory 113 stores an LU access permission table 121 used when the above-described program is executed, and a communication failure judging threshold table 122.

The IP level filter unit 115 filters IP packets before a session is built up. Concretely, the IP level filter unit 115 refers to header information of all IP packets received at the port 114 before a session is built up, and judges whether each IP packet is the iSCSI packet or not, depending upon whether information which shows that it is the iSCSI packet is stored or not.

In case that the IP packet is judged to be the iSCSI packet, it is sent out to the LU level filter unit 116, and in case that the IP packet is another IP packet (hereinafter, referred to as non-iSCSI packet), it is sent out to the communication information and failure alerting unit 118 through the traffic measuring and judging unit 117.

The LU level filter unit 116 filters the received iSCSI packet. Concretely, the LU level filter unit 116 judges whether the received iSCSI packet is accessible to the logical unit 130 or not with reference to the LU access permission table 121 which will be described later, based on an iSCSI name of an iSCSI packet received at the time of iSCSI log-in. In addition, after that, while the log-in is valid, check of accessibility of the iSCSI packet having the iSCSI name to the logical unit 130 is not carried out.

The accessible iSCSI packet (hereinafter, referred to as permitted iSCSI packet) is sent out to the iSCSI off-road engine 119 through the traffic measuring and judging unit 117. An iSCSI packet which does not have access permission (hereinafter, referred to as unpermitted iSCSI packet) is sent out to the communication information and failure alerting unit 118 through the traffic measuring and judging unit 117.

Here, the LU access permission table 121 will be described. The LU access permission table 121 stores the logical units 130 permitted to access, by associating with each host computer. FIG. 3 shows one example of the LU access permission table 121.

As shown in this figure, the LU access permission table 121 has an iSCSI name 1211 which uniquely specifies the host computer 200, a virtual logical unit number (virtual LUN) 1212 that a user and an operating system on the host computer 200 arbitrarily assigned to the logical unit 1130, and a logical unit number (LUN) 1213 which uniquely specifies the logical unit 130 on the storage subsystem 100 corresponding to the virtual LUN 1212. This LU access permission table 121 is set up in advance by an administrator etc. from the management server 400 etc.

If the same iSCSI name as the iSCSI name stored in a header of the iSCSI packet that the LU level filter unit 116 received, is stored in the iSCSI name 1211 of the LU access permission table 121, and the virtual LUN 1212 and the LUN 1213 which correspond to that are stored, it means that an access is permitted. In addition, since a method of judging accessibility in the LU level filter unit 116 is the same as the method of Patent Document 1, its explanation will be omitted here.

The traffic measuring and judging unit 117 receives three types of packets (permitted iSCSI packet, unpermitted iSCSI packet, non-iSCSI packet) classified by two filtering means of the IP level filter unit 115 and the LU level filter unit 116, and measures each traffic per unit of time, respectively. After that, in accordance with a type of the received packet, the traffic measuring and judging unit 117 sends it out to the communication information and failure alerting unit 118, or the iSCSI off-road engine 119. Also, by using a measurement result per unit of time, in accordance with the communication failure judging threshold table 122, presence and absence of the communication failure generation are judged.

Here, the communication failure judging threshold table 122 is a table in which the thresholds and criteria of judgment are stored with respect to each judging object. FIG. 4 shows one example of the communication failure judging threshold table 122.

The communication failure judging threshold table 122 of this embodiment has a judging object communication ratio storing column 122 a which stores a content of a judging object communication ratio, and a threshold storing column 122 b which stores criteria of judgment as well as thresholds by which it is judged to be a communication failure.

In this embodiment, the judging object communication ratios are, for example, a ratio 1221 that traffic of the non-iSCSI packet per unit of time takes up to traffic of all packets received in the storage interface 110 per unit of time (hereinafter, referred to as non-iSCSI packet ratio), a ratio 1222 that traffic of the unpermitted iSCSI packet per unit of time takes up to traffic of all iSCSI packets classified in the IP level filter unit 115 per unit of time (hereinafter, referred to as unpermitted iSCSI packet ratio), and a ratio 1223 that traffic of the permitted iSCSI packet per unit of time takes up to traffic of all packets received in the storage interface 110 per unit of time (hereinafter, referred to as permitted iSCSI packet ratio), and so on.

In addition, examples of the communication failure to be judged from the respective ratios are as follows. In the case of the non-iSCSI packet ratio, the communication failure is caused by a communication attack of an improper packet. In the case of the unpermitted iSCSI packet ratio, the communication failure is caused by the host computer 200, which for any reason fell into such a state that it no longer has a right of an access to the storage subsystem 100, continuing to access without change. And in the case of the permitted iSCSI packet ratio, the communication failure is caused by a network QoS that is not appropriate. In the threshold storing column 122 b, stored are values and criteria by which it is possible to judge generations of these communication failures.

In this embodiment, the traffic measuring and judging unit 117 judges as a communication failure, in case that a value of a communication ratio which is obtained from respective measurement results satisfies conditions stored in the threshold storing column 122 b, and alerts the communication information and failure alerting unit 118 of the following: that the communication failure is generated, a type of a communication ratio by which it is judged that the communication failure is generated (failure type: the non-iSCSI packet ratio, the unpermitted packet ratio, or the permitted iSCSI packet ratio etc.), a value of a communication ratio when it is judged that the communication failure is generated, time information (failure time) per unit of time when traffic is measured, by which it is judged that the communication failure is generated, and communication information of a packet when it is judged that the communication failure is generated. Here, the communication information to be notified will be described in a traffic log 158 which will be described later.

For example, when traffic of all packets is 150 KByte/s, if traffic of the non-iSCSI packet is 100 KByte/s, a value of the non-iSCSI packet ratio 1221 of the communication failure judging threshold table 122 becomes 66%, and corresponds to “50% and more” which is stored in the threshold storing unit 122 b. In such a case, the traffic measuring and judging unit 117 judges that communication with such level that a problem occurs in normal communication of iSCSI packet reaches the storage subsystem 100, i.e., that failure is generated.

In addition, the judging object communication ratio shown in this figure is one example, and it is possible to use, as a judging object, various communication ratios obtained by using arbitrary traffic measured from information regarding three packets classified by the two filtering means of the IP level filter unit 115 and the LU level filter unit 116.
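The two-stage classification, per-unit-time measurement and threshold judgment described above can be sketched as follows. This is an added example, not code from the patent. Assumptions: TCP destination port 3260 stands in for the header check that identifies an iSCSI packet, every iSCSI packet is treated as arriving at log-in time, the 30% threshold for the unpermitted iSCSI packet ratio is constructed, and all names, addresses and the sample interval are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumption: the "header information" check is TCP destination port 3260,
# the IANA-registered iSCSI port; the page does not name the header field.
ISCSI_PORT = 3260

# LU access permission table 121 (FIG. 3 layout): iSCSI name -> {virtual LUN: LUN}.
# Constructed entries.
LU_ACCESS = {
    "iqn.2004-01.example:host-a": {0: 10, 1: 11},
    "iqn.2004-01.example:host-b": {0: 12},
}

# Communication failure judging threshold table 122 (FIG. 4 layout).
THRESHOLDS = {
    "non_iscsi_ratio": (">=", 0.50),          # "50% and more" (from the page)
    "unpermitted_iscsi_ratio": (">=", 0.30),  # constructed; the page gives no value
    "permitted_iscsi_ratio": ("<=", 0.60),    # "60% or less" (from the page)
}


@dataclass
class Packet:
    date: str
    protocol: str
    source: str                      # "ip:port"
    destination: str                 # "ip:port"
    size: int                        # bytes
    iscsi_name: Optional[str] = None


def classify(pkt: Packet) -> str:
    """IP level filter first, then LU level filter on the iSCSI name."""
    dst_port = int(pkt.destination.rsplit(":", 1)[1])
    if pkt.protocol != "TCP" or dst_port != ISCSI_PORT:
        return "non_iscsi"
    if pkt.iscsi_name in LU_ACCESS:
        return "permitted_iscsi"
    return "unpermitted_iscsi"


def measure(packets):
    """Return (bytes per class in one unit of time, traffic log of discarded packets)."""
    traffic, log = Counter(), []
    for pkt in packets:
        kind = classify(pkt)
        traffic[kind] += pkt.size
        if kind != "permitted_iscsi":  # only discarded packets are logged (FIG. 5 fields)
            log.append({"date": pkt.date, "protocol": pkt.protocol,
                        "source": pkt.source, "destination": pkt.destination})
    return traffic, log


def ratios(traffic):
    """The three judging object communication ratios 1221, 1222 and 1223."""
    total = sum(traffic.values())
    if total == 0:                   # nothing received: nothing to judge
        return {}
    iscsi = traffic["permitted_iscsi"] + traffic["unpermitted_iscsi"]
    return {
        "non_iscsi_ratio": traffic["non_iscsi"] / total,
        "unpermitted_iscsi_ratio": traffic["unpermitted_iscsi"] / iscsi if iscsi else 0.0,
        "permitted_iscsi_ratio": traffic["permitted_iscsi"] / total,
    }


def judge(traffic):
    """Return [(failure type, ratio value)] for every threshold condition that is met."""
    alerts = []
    for name, value in ratios(traffic).items():
        op, limit = THRESHOLDS[name]
        if (op == ">=" and value >= limit) or (op == "<=" and value <= limit):
            alerts.append((name, round(value, 2)))
    return alerts


def top_sources(log):
    """Rank source IP addresses in the traffic log by number of discarded packets."""
    return Counter(entry["source"].rsplit(":", 1)[0] for entry in log).most_common()


# Constructed one-second interval mirroring the page's figures:
# 150 KByte in total, of which 100 KByte is non-iSCSI traffic.
SAMPLE_INTERVAL = (
    [Packet("2004-01-01 10:00:00", "UDP", "203.0.113.9:40000", "192.0.2.10:53", 1000)] * 100
    + [Packet("2004-01-01 10:00:00", "TCP", "198.51.100.5:51000", "192.0.2.10:3260", 1000,
              "iqn.2004-01.example:host-a")] * 45
    + [Packet("2004-01-01 10:00:00", "TCP", "198.51.100.7:52000", "192.0.2.10:3260", 1000,
              "iqn.2004-01.example:unknown")] * 5
)

if __name__ == "__main__":
    traffic, log = measure(SAMPLE_INTERVAL)
    print(judge(traffic))
    print(top_sources(log))
```

With the constructed interval, the non-iSCSI packet ratio and the permitted iSCSI packet ratio both meet their conditions in the same unit of time, so a single burst of improper traffic produces two failure types at once.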

The communication information and failure alerting unit 118 transmits, to the maintenance terminal 150, packets received from the two filter units of the IP level filter unit 115 and the LU level filter unit 116 through the traffic measuring and judging unit 117, and information received in case that it is judged as a communication failure in the traffic measuring and judging unit 117.

The iSCSI off-road engine 119 applies processing as the iSCSI target, to the permitted iSCSI packets received through the IP level filter unit 115 and the LU level filter unit 116, pulls out the SCSI command, and transmits it to the logical unit 130 designated as a destination of transmission.

In addition, a program which realizes the above-described function may be stored in a recording medium (flexible disk, CD-ROM, DVD-ROM, semiconductor memory, transmission path such as LAN and SAN etc., and so on) which can be read by the control processor 111, but not in the control memory 112. Also, the function of the program may be realized by a hardware configuration (semiconductor integrated circuit such as LSI (Large Scale Integration) etc.).

The maintenance terminal 150 comprises, as a hardware configuration, a control processor 151 which controls entire operations of the maintenance terminal 150, a control memory 152 which stores a program that the control processor 151 executes, a maintenance terminal storage area 153 which stores and keeps data, an interface 154 with an external network, and an interface 155 with a main body of the storage subsystem 100.

The control processor 151 realizes each function of a communication information recording unit 156 and a warning message reporting unit 157, by executing the program stored in the control memory 152.

In the maintenance terminal storage area 153, a traffic log 158 is recorded and saved.

The communication information recording unit 156 records communication information of a packet sent from the communication information and failure alerting unit 118, in the maintenance terminal storage area 153, as the traffic log 158.

Here, information recorded in the traffic log 158 will be described. FIG. 5 shows one example of the traffic log 158 in this embodiment.

Communication information of a packet to be recorded is, for example, as shown in this figure, a date 1581 when the communication information is recorded, a type 1582 of a protocol of a packet of the above-mentioned communication, an IP address and a use port number 1583 of a source of transmission, an IP address and a use port number 1584 of a destination of transmission, and so on.

In addition, the traffic log shown here is one example; as long as the above-described information is included at minimum, its recording format and the presence or absence of other information do not matter.

The warning message reporting unit 157 generates a warning message, by using an alert that a communication failure is generated, sent from the communication information and failure alerting unit 118, a failure type, a value of a communication ratio, and information of failure time, by combining with a text message prepared in advance with respect to each failure type, and reports it to the management server 400.

In addition, a program which realizes these functions may be stored in a recording medium which can be read by the control processor 151 (flexible disk, CD-ROM, DVD-ROM, semiconductor memory, transmission path such as LAN and SAN etc., and so on).

Also, the function of the program may be realized by a hardware configuration (semiconductor integrated circuit such as LSI (Large Scale Integration) etc.).

In this embodiment, a configuration which contains the maintenance terminal 150 in the storage subsystem 100 will be described as an example, but a configuration of the maintenance terminal 150 is not limited to this. For example, it may be a configuration which is provided outside the storage subsystem 100. Also, it may be configured that one maintenance terminal 150 is provided for a plurality of storage subsystems 100.

The host computer 200 comprises, as a hardware configuration, a control processor 201 which controls entire operations, a control memory 202 which stores a program that the control processor 201 executes, and an interface 203 with an external network.

The host computer 200 comprises an iSCSI driver 211 which generates an iSCSI packet, by storing an SCSI command in a frame, on the control memory 202.

In addition, the iSCSI driver 211 is a program whose function is realized by being executed by the control processor 201. Also, this program may be stored in a recording medium which can be read by the control processor 201 (flexible disk, CD-ROM, DVD-ROM, semiconductor memory, transmission path such as LAN and SAN etc., and so on). Also, the function of the program may be realized by a hardware configuration (semiconductor integrated circuit such as LSI (Large Scale Integration) etc.).

The management server 400 comprises, as a hardware configuration, a control processor 401 which controls entire operations, a control memory 402 which stores a program that the control processor 401 executes, an interface 403 with an external network, an I/F 404 with an input/output device, an input device 405, and an output device 406.

The control processor 401 realizes each function of a QoS condition designating unit 411, a failure information displaying unit 412, an improper communication source analyzing unit 413, a router or switch control instructing unit 414, by executing the program stored in the control memory 402.

The failure information displaying unit 412 displays information indicated by the warning message on the output device 406, when the warning message is sent from the storage subsystem 100 to the management server 400.

The QoS condition designating unit 411 receives, from an administrator through the input device 405, information of a network QoS which is desired to be secured on the IP network when the warning message is sent from the storage subsystem 100, and sets it up. The setup timing is determined by an administrator according to need, after building of the system is completed. For example, it is right after the building, or when an administrator who sees the content of the warning message displayed on the output device 406 judges that resetting is necessary, and so on.

Furthermore, when the warning message is received, in case that the failure type shows the permitted iSCSI packet ratio 1223, the QoS condition designating unit 411 accesses the communication failure judging threshold table 122, compares the value of the communication ratio in the warning message with the current threshold and criteria of judgment of the corresponding communication ratio, which are set up in the threshold storing column 122 b, and judges whether it is necessary to readjust the network QoS or not.

A concrete example of judgment will be described as follows. For example, it is assumed that the router or switch 320 is set up so as to control to secure 70% of all traffic for use in the iSCSI packet, with an error of less than 10%, in a QoS used for an access to the logical unit 130 of the storage subsystem 100. In this case, in the communication failure judging threshold table 122, as shown in FIG. 4, 60% or less is set up as the threshold and criteria of judgment which judge whether the ratio has left the normal scope of control or not. In case that the permitted iSCSI packet ratio dropped down to 60% or less under such a setup, i.e., in case that QoS control is not carried out as set up by the router or switch 320, it is judged as failure generation by the traffic measuring and judging unit 117, and thereby, that status is detected, and it is alerted to the management server 400 through the warning message reporting unit 157.

Normally, a warning message is issued in case of a match with the criteria of judgment which are stored in the threshold storing column 122 b of the communication failure judging threshold table 122. Therefore, readjustment is required. However, there may be a case where the thresholds and criteria of judgment of the communication failure judging threshold table 122 have been changed from the values etc. at the time when the warning message was generated. On this account, judgment is carried out once in the QoS condition designating unit 411.

And, in case that the result of the judgment requires readjustment, i.e., it matches the criteria of judgment which are set up in the communication failure judging threshold table 122, a control instruction for adjusting a QoS is issued to the router or switch control instructing unit 414, which will be described later.

Here, the control instruction is, for example, to change a configuration of the router or switch so that the throughput of the permitted iSCSI packet comes close to the targeted QoS. For example, it is to change a parameter value to lengthen queuing wait time in the router or switch.

The improper communication source analyzing unit 413, when the warning message is sent from the storage subsystem 100 to the management server 400, accesses the traffic log 158 recorded in the storage area 153 of the maintenance terminal, based on the failure time information in the warning message, and analyzes the source of improper communication considered to be a communication attack in which a large amount of non-iSCSI packets is transmitted.

A concrete example of analysis will be hereinafter described. For example, it is assumed that the above-described traffic measuring and judging unit 117 measures traffic of one second from 10:00:01 to 10:00:02, Jul. 15, 2003 as the unit of time, based on a group of the traffic logs 158 shown in FIG. 5, and judges that a failure is generated, since it exceeds a threshold. Here, in case of the traffic log shown in FIG. 5, during the period from 10:00:01 to 10:00:02, Jul. 15, 2003, a large amount of non-iSCSI packets arrived from the same source.

In this case, in the warning message, 10:00:01, Jul. 15, 2003 is stored as the failure time. The improper communication source analyzing unit 413 searches the traffic log 158 corresponding to the failure time in this warning message.

Out of that, the non-iSCSI packets are searched, and traffic is obtained with respect to each source of transmission. And address information 1583 of a source of transmission which exceeded predetermined traffic is searched, and so on.

A control instruction which instructs to cut off communication from a source of the improper communication is issued to the router or switch control instructing unit 414, which will be described later.

The router or switch control instructing unit 414, when a warning message is sent from the storage subsystem 100 to the management server 400, in accordance with a control instruction issued from the QoS condition designating unit 411 and the improper communication source analyzing unit 413, controls the router or switch 300, cuts off a packet from a source of the improper communication, and secures a QoS of a packet of a normal access.

In addition, a program which realizes these functions may be stored in a recording medium which can be read by the control processor 401 (flexible disk, CD-ROM, DVD-ROM, semiconductor memory, transmission path such as LAN and SAN etc., and so on).

Also, the function of the program may be realized by a hardware configuration (semiconductor integrated circuit such as LSI (Large Scale Integration) etc.).

Next, an outline of a process flow in case that the storage subsystem 100 received a packet, in the storage system of this embodiment having the above-described functions, will be described. FIG. 6 is a configuration view which shows representative elements, out of the elements which configure the system of this embodiment, in order to illustrate an outline of the process.

Here, in this figure, packets sent in directions of arrows 001-003 are referred to as packet 001, packet 002, and packet 003, respectively. These are packets sent from the IP network 300 to the storage subsystem 100 as the iSCSI target. Out of these, the packet 001 is assumed to be the permitted iSCSI packet, the packet 002 is assumed to be the unpermitted iSCSI packet, and the packet 003 is assumed to be the non-iSCSI packet sent from information equipment whose source is unclear, to the storage subsystem 100.

When the storage interface 110 on the storage subsystem 100 receives the packets 001, 002, and 003, it sorts out the received packets by the IP level filter unit 115. Here, the packet 001 and the packet 002 are judged to be the iSCSI packet, and are sent out to the LU level filter unit 116. On the other hand, the packet 003 is to be discarded, and is sent out to the communication information and failure alerting unit 118 through the traffic measuring and judging unit 117, in accordance with an arrow 004. In the traffic measuring and judging unit 117, traffic of the packet 003 per unit of time is measured, a necessary communication ratio is calculated, and generation of the communication failure is monitored, with reference to the communication failure judging threshold table 122.

The packets 001 and 002 as the iSCSI packets sent out from the IP level filter unit 115 to the LU level filter unit 116 are judged by the LU level filter unit 116, with reference to the LU access permission table 121, as to whether they are packets which are permitted to access the logical unit 130 in the storage subsystem 100.

And, the LU level filter unit 116 sends out the packet 002 to be discarded, to the communication information and failure alerting unit 118 through the traffic measuring and judging unit 117, in accordance with an arrow 005. In the traffic measuring and judging unit 117, traffic of the packet 002 per unit of time is measured, a necessary communication ratio is calculated, and generation of the communication failure is monitored, with reference to the communication failure judging threshold table 122.

The LU level filter unit 116 judges that the packet 001 is permitted to access the logical unit 130, and sends it out to the iSCSI off-road engine 119 through the traffic measuring and judging unit 117 in accordance with an arrow 006. In the iSCSI off-road engine 119, the SCSI command is picked up, the iSCSI command picked up is sent to the logical unit 130, and an I/O process is carried out.

In addition, in the traffic measuring and judging unit 117, traffic of the packet 001 per unit of time is measured, a necessary communication ratio is calculated, and generation of the communication failure is monitored, with reference to the communication failure judging threshold table 122.

The communication information and failure alerting unit 118 sends communication information of the packets 002 and 003 to the communication information recording unit 156 of the maintenance terminal 150 in the storage subsystem 100, in accordance with an arrow 007 of FIG. 6. After that, the communication information recording unit 156 records the communication information of the packets 002 and 003 as the traffic log 158.

Also, the traffic measuring and judging unit 117 judges whether a communication failure is generated or not, by utilizing the communication failure judging threshold table 122.

In case that it is judged in the judgment that a communication failure is generated, in accordance with an arrow 008 of FIG. 6, information is transmitted through the communication information and failure alerting unit 118 to the warning message reporting unit 157 in the maintenance terminal 150. And in accordance with an arrow 009 of FIG. 6, the warning message reporting unit 157 which received it sends out a warning message, and thereby, that instance is reported to the management server 400.

The management server 400 which received the warning message presents information to an administrator by displaying warning messages which correspond to the respective communication failures. Also, an appropriate performance decrement preventing process in accordance with the warning message is carried out.

Hereinafter, a flow of a process which transmits a warning message to the management server 400, and a performance decrement preventing process that the management server 400 carries out in case that it received a warning message, will be described.

FIG. 7 shows a process flow in the storage system of this embodiment, in case that an improper packet (unpermitted iSCSI packet, non-iSCSI packet) is received.

First, the traffic measuring and judging unit 117 measures traffic per unit of time (e.g., 1 second), with respect to a packet judged to be discarded (not sent to the logical unit 130) through the IP level filter unit 115 and/or the LU level filter unit 116, and all packets received by the storage interface 110, and with respect to each unit of time measured, calculates a predetermined communication ratio (step 0100).

Next, the traffic measuring and judging unit 117 refers to the communication failure judging threshold table 122, based on the calculated communication ratio, and judges whether it corresponds to the criteria of failure judgment or not (step 0110).

In case that there is no corresponding item in the communication failure judging threshold table 122 in the step 0110 (in case of No), the routine returns to the step 0100, and the process is started again.

On the other hand, in case that there is a corresponding item in the communication failure judging threshold table 122 in the step 0110 (in case of Yes), the traffic measuring and judging unit 117 alerts the type of failure (unpermitted packet ratio, or non-iSCSI packet ratio) etc., to the warning message reporting unit 157, through the failure alerting unit 118 (step 0120).

The warning message reporting unit 157 which received the alert generates a warning message in accordance with the type of failure, and alerts it to the management server 400 as failure information (step 0130).

The management server 400 which received the warning message makes the failure information displaying unit 412 display the content of the failure message on the output device 406, and presents it to an administrator (step 0140). An administrator confirms the content of the display, and can figure out the current status of communication of the storage subsystem 100. For example, the administrator can carry out a process such as resetting of a QoS, and so on.
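Steps 0100 to 0130 can be followed in a short added example (not code from the patent). It assumes traffic is counted in packets, and only the 60% permitted-iSCSI threshold comes from the text; the other two thresholds, the function names and the sample events are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Packet classes produced by the two filters described in the text.
PERMITTED = "permitted_iscsi"      # passed the IP level and LU level filters
UNPERMITTED = "unpermitted_iscsi"  # iSCSI, discarded by the LU level filter
NON_ISCSI = "non_iscsi"            # discarded by the IP level filter


@dataclass(frozen=True)
class Rule:
    failure_type: str   # failure type carried in the warning message
    packet_class: str   # class whose share of all received packets is judged
    op: str             # ">=" (ratio too high) or "<=" (ratio too low)
    threshold: float    # fraction of all received packets, 0..1


# Stand-in for the communication failure judging threshold table 122.
# Only the 60%-or-less row is from the text; the other two are assumed.
THRESHOLD_TABLE = [
    Rule("non-iSCSI packet ratio", NON_ISCSI, ">=", 0.30),
    Rule("unpermitted iSCSI packet ratio", UNPERMITTED, ">=", 0.20),
    Rule("permitted iSCSI packet ratio", PERMITTED, "<=", 0.60),
]


def measure(events, unit=1):
    """Step 0100: count packets per class in each unit-of-time window.

    events is an iterable of (epoch_seconds, packet_class) pairs.
    """
    windows = {}
    for ts, cls in events:
        start = int(ts) - int(ts) % unit
        windows.setdefault(start, Counter())[cls] += 1
    return windows


def judge(counts, table=THRESHOLD_TABLE):
    """Step 0110: compare each communication ratio with the table."""
    total = sum(counts.values())
    if total == 0:
        return []  # idle window: no ratio is defined, so nothing to judge
    hits = []
    for rule in table:
        ratio = counts.get(rule.packet_class, 0) / total
        if rule.op == ">=":
            matched = ratio >= rule.threshold
        else:
            matched = ratio <= rule.threshold
        if matched:
            hits.append({"failure_type": rule.failure_type,
                         "ratio": round(ratio, 3)})
    return hits


def warnings_for(events, unit=1):
    """Steps 0120-0130: one warning per matched rule, with the failure time."""
    out = []
    for start, counts in sorted(measure(events, unit).items()):
        for hit in judge(counts):
            out.append({"failure_time": start, **hit})
    return out


# Constructed sample: a normal second followed by a flood of non-iSCSI packets.
SAMPLE_EVENTS = (
    [(1000.1, PERMITTED)] * 8 + [(1000.5, UNPERMITTED), (1000.9, NON_ISCSI)]
    + [(1001.2, PERMITTED)] * 3 + [(1001.3, UNPERMITTED)]
    + [(1001.4, NON_ISCSI)] * 6
)

if __name__ == "__main__":
    for warning in warnings_for(SAMPLE_EVENTS):
        print(warning)
```

In the second window the flood raises two warnings at once: the non-iSCSI ratio is too high and, as a consequence, the permitted iSCSI ratio falls to 60% or less, which are the two cases handled by the flows of FIG. 8 and FIG. 9.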

As described above, in case of having received the warning message, the management server 400 draws the attention of an administrator to it by displaying its content on the output device 406, and can not only accept a response of an administrator, but also carry out by itself a performance decrement preventing process of the storage system, in accordance with the content of the received warning message.

Next, a performance decrement preventing process that the management server 400 carries out will be described for the case that the warning message received in the above-described step 0130 means that the non-iSCSI packet ratio exceeds a threshold, or that the unpermitted iSCSI packet ratio exceeds the threshold, i.e., the case that accesses of improper packets are increased. Here, the performance decrement preventing process that the management server 400 carries out is to cut off a packet which causes I/O performance decrement of the storage subsystem.

In addition, in this embodiment, a case that the non-iSCSI packet ratio exceeded a threshold is taken as an example. A process in the management server 400 will be described, which ascertains a source of improper communication by analyzing the content of the traffic log 158, which controls an IP network relay device such as the router or switch 320 etc. disposed on the IP network 300 as a transmission path to the storage subsystem 100, and which cuts off communication from the source of the improper communication.

FIG. 8 shows a flow of a process which is carried out in the management server 400, in case that improper accesses are increased.

First, the management server 400 receives from the maintenance terminal 150 a warning message whose type of failure indicates that the non-iSCSI packet ratio exceeded a threshold (step 0200).

The management server 400 which received the warning message makes the failure information displaying unit 412 show, on the output device 406, a display corresponding to the warning message received in the step 0200, and makes the improper communication source analyzing unit 413 obtain the traffic log 158 recorded in the maintenance terminal 150 (step 0210).

The improper communication source analyzing unit 413 analyzes the corresponding traffic log, by using information of the obtained traffic log 158, and searches address information etc. of a source transmitting an improper packet (step 0220).

The improper communication source analyzing unit 413, in order to carry out a process which cuts off all packets from the corresponding address 1583 (e.g., in case of the example of FIG. 5, 10.X.X.X), issues a control instruction of the router or switch meaning that communication from the corresponding address 1583 is cut off, to the router or switch control instructing unit 414 (step 0230).

The router or switch control instructing unit 414, in accordance with the control instruction issued in the step 0230, controls the router or switch 320 to cut off a packet from the corresponding address (step 0240).

The storage system of this embodiment can cut off a communication attack which targets the storage subsystem 100, by carrying out the process as described above.
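The analysis of steps 0210 to 0230 can be sketched as follows; this is an added example, not code from the patent. The log line layout (time, packet kind, source address, bytes), the byte limit, the function names and the `never_block` safeguard are assumptions, and the sample log is constructed using documentation address ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample standing in for traffic log 158 (discarded packets only).
# Assumed column layout: time, packet kind, source address, bytes.
SAMPLE_LOG = """\
2003-07-15 10:00:00.900,non-iSCSI,198.51.100.7,600
2003-07-15 10:00:01.010,non-iSCSI,198.51.100.7,1400
2003-07-15 10:00:01.200,non-iSCSI,198.51.100.7,1400
2003-07-15 10:00:01.300,unpermitted-iSCSI,192.0.2.44,48
2003-07-15 10:00:01.450,non-iSCSI,203.0.113.9,64
2003-07-15 10:00:01.700,non-iSCSI,198.51.100.7,1400
2003-07-15 10:00:01.990,non-iSCSI,198.51.100.7,1400
### truncated record
2003-07-15 10:00:02.000,non-iSCSI,198.51.100.7,1400
"""


def parse_log(text):
    """Parse log lines, skipping malformed records instead of aborting."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S.%f")
            source = str(ipaddress.ip_address(parts[2]))
            size = int(parts[3])
        except ValueError:
            continue
        if size < 0:
            continue
        records.append({"time": when, "kind": parts[1],
                        "source": source, "bytes": size})
    return records


def find_improper_sources(records, failure_time, limit_bytes,
                          unit=timedelta(seconds=1)):
    """Step 0220: total non-iSCSI traffic per source inside the failure window.

    Returns (source, bytes) pairs above limit_bytes, largest first.
    """
    end = failure_time + unit
    totals = defaultdict(int)
    for rec in records:
        if rec["kind"] == "non-iSCSI" and failure_time <= rec["time"] < end:
            totals[rec["source"]] += rec["bytes"]
    over = [(src, total) for src, total in totals.items() if total > limit_bytes]
    return sorted(over, key=lambda item: -item[1])


def cutoff_instructions(sources, never_block=()):
    """Step 0230: build one cut-off instruction per offending source.

    never_block is an added safeguard (not in the text): addresses of
    permitted hosts or management systems that must not be cut off
    automatically and should go to an administrator instead.
    """
    protected = {str(ipaddress.ip_address(a)) for a in never_block}
    return [{"action": "cut_off", "source": src}
            for src, _ in sources if src not in protected]


if __name__ == "__main__":
    failure_time = datetime(2003, 7, 15, 10, 0, 1)  # from the warning message
    found = find_improper_sources(parse_log(SAMPLE_LOG), failure_time, 4000)
    print(found)
    print(cutoff_instructions(found))
```

The instruction is kept as a neutral record because the text does not say how the router or switch 320 is commanded; translating it into device configuration is left to the relay device control.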

Next, a process will be hereinafter described for the case that the warning message received in the above-described step 0130 means that the ratio of traffic of the iSCSI packets which access the logical unit 130 normally is reduced, i.e., the case that the permitted iSCSI packet ratio becomes a threshold or below.

Here, the performance decrement preventing process that the management server 400 carries out is to secure a necessary QoS for the permitted iSCSI packet, based on an instruction regarding QoS control of an IP network designated in advance by an administrator. The management server 400 controls IP network relay equipment such as the router or switch 320 etc. disposed on the IP network 300 as a transmission path to the storage subsystem 100, and secures a necessary QoS for access from the host computer 200 which has a right to access the storage subsystem 100.

FIG. 9 shows a flow of a process which is carried out in the management server 400, in case that the permitted iSCSI packet ratio becomes a threshold or below.

First, the management server 400 receives a warning message which indicates that the permitted iSCSI packet ratio becomes a threshold or below, from the maintenance terminal 150 (step 0300).

The management server 400 which received the warning message makes the failure information displaying unit 412 show, on the display device 406, a display corresponding to the content of the received message, and alerts information included in the warning message to the QoS control condition designating unit 411 (step 0310).

The QoS control condition designating unit 411 compares the value stored in the threshold storing column 122 b of the communication failure judging threshold table 122 with the value of the communication ratio received by the warning message, and judges whether the setting of QoS control is proper or not, i.e., whether readjustment is necessary (step 0320).

In case that it is judged in the judgment of the step 0320 that readjustment of QoS control is necessary (in case of Yes), an instruction which is necessary for carrying out the given QoS control is sent to the router or switch control instructing unit 414 (step 0330).

On the other hand, in case that it is judged that the readjustment is not necessary (in case of No), the process is concluded.

The router or switch control instructing unit 414 which received the instruction in the step 0330 readjusts the setting of QoS control as a condition designated by a command etc. of a router (step 0340), and concludes the process.

It is possible for the storage system of this embodiment to dynamically readjust the setting of QoS to the storage subsystem 100, in accordance with the status of communication, by carrying out the process as described above.

In this manner, according to this embodiment, the storage system can sort, in the storage subsystem 100, a packet which is accessible to the logical unit 130 (normal packet) and a packet other than it (improper packet).

In this embodiment, this sorting is realized by two filters: an IP level filter (first filter) which searches only an iSCSI packet, and an LU level filter (second filter) which searches only a packet permitted to access the storage subsystem from among the iSCSI packets. Furthermore, judgment of accessibility in the LU level filter is carried out at the time when a session is built up, i.e., only on an iSCSI packet transmitted at the time of iSCSI log-in. And, after a session is built up by the above-stated packet, accessibility of individual packets is not judged. On this account, accessibility can be judged efficiently.
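The two-stage sorting with a log-in-time decision can be sketched as below; this is an added example, not code from the patent. It assumes the IP level test is a match on the IANA-registered iSCSI port 3260, that hosts are identified by their iSCSI name, and that a session is keyed by source address and port; the class and field names and the sample packets are constructed.

```python
from dataclasses import dataclass

PERMITTED = "permitted_iscsi"
UNPERMITTED = "unpermitted_iscsi"
NON_ISCSI = "non_iscsi"

ISCSI_PORT = 3260  # IANA-registered iSCSI port; using it as the first filter is an assumption


@dataclass(frozen=True)
class Packet:
    src: str                 # source address
    src_port: int
    dst_port: int
    is_login: bool = False   # True for the iSCSI log-in request
    initiator: str = ""      # iSCSI name carried in the log-in request


class TwoStageFilter:
    """IP level filter followed by an LU level filter judged only at log-in."""

    def __init__(self, permission_table):
        # Stand-in for LU access permission table 121:
        # iSCSI name of a permitted host -> set of LUNs it may access.
        self.table = permission_table
        self.sessions = set()   # (src, src_port) of sessions built up by log-in
        self.lookups = 0        # how often the permission table was consulted

    def classify(self, pkt):
        # First filter: anything that is not iSCSI is discarded at once.
        if pkt.dst_port != ISCSI_PORT:
            return NON_ISCSI
        key = (pkt.src, pkt.src_port)
        # Second filter: the permission table is consulted only at log-in.
        if pkt.is_login:
            self.lookups += 1
            if pkt.initiator in self.table:
                self.sessions.add(key)
                return PERMITTED
            self.sessions.discard(key)
            return UNPERMITTED
        # Later packets are accepted on the strength of the session alone,
        # so a packet without a built-up session is treated as unpermitted.
        return PERMITTED if key in self.sessions else UNPERMITTED

    def close(self, src, src_port):
        """Forget a session; stale entries would keep admitting packets."""
        self.sessions.discard((src, src_port))


if __name__ == "__main__":
    # Constructed sample traffic.
    flt = TwoStageFilter({"iqn.2003-07.com.example:host-a": {0, 1}})
    traffic = [
        Packet("192.0.2.10", 40001, 3260, True, "iqn.2003-07.com.example:host-a"),
        Packet("192.0.2.10", 40001, 3260),
        Packet("192.0.2.99", 40002, 3260, True, "iqn.2003-07.com.example:unknown"),
        Packet("192.0.2.99", 40002, 3260),
        Packet("203.0.113.5", 5555, 80),
    ]
    for pkt in traffic:
        print(pkt.src, flt.classify(pkt))
    print("permission table lookups:", flt.lookups)
```

Because later packets are trusted on the session alone, the session table is part of the access decision: entries must be removed when a session ends, which is what `close` stands for here.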

Also, since a traffic log of an improper packet is recorded, it is possible, by using such information, to take a procedure to cut off future receptions.

Furthermore, since traffic is monitored with respect to each sorted type, with regard to all packets, it is also possible, by using such information, to secure an appropriate QoS for communication of a normal packet.

1. A storage subsystem which is connected to a host computer through a communication line, comprising an interface which is used for connecting to said communication line, wherein, said interface comprises a first filter which judges, on the occasion of having received communication packets from said communication line, whether there is a communication packet with a predetermined format for use in an access to said storage subsystem, among the communication packets; wherein said interface further comprises a traffic measuring and judging unit which measures traffic of all communication packets received in the interface, and traffic of a communication packet judged not to be the packet with said format in said first filter, respectively, and by using the both traffics, judges whether a communication failure is generated or not, and a communication failure alerting unit which alerts a management server connected to said storage subsystem and comprises a function of displaying information alerted, in case that it is judged that a communication failure is generated in said traffic measuring and judging unit.
2. The storage subsystem according to claim 1, wherein, said interface further comprises a second filter which receives the communication packet judged to be for said access in said first filter, and judges whether it is a communication packet permitted to access to a storage area in said storage subsystem and transmitted from said host computer or not.
3. The storage subsystem according to claim 2, wherein, in case that said host computer is permitted to access to said storage subsystem, said interface further comprises an access permission table having information which uniquely specifies the host computer, and information which specifies a storage area in said storage subsystem to which the host computer is permitted to access, and said second filter judges whether a communication packet judged to be for use in said access is transmitted from the host computer permitted to access or not, in accordance with information stored in said access permission table.
4. (canceled)
5. The storage subsystem according to claim 1, wherein, said traffic measuring and judging unit further measures traffic of a communication packet judged not to be the communication packet transmitted from said host computer which is permitted to access in said second filter, and by using the traffic and said traffic of all communication packets, further judges whether a communication failure is generated or not.
6. The storage subsystem according to claim 5, wherein, said interface further comprises a traffic log recording unit which records, as a traffic log, communication information of a communication packet judged not to be the communication packet with said format in said first filter and a communication packet judged not to be the communication packet transmitted from said host computer permitted to access in the second filter.
7. A management server connected to the storage subsystem according to claim 6, wherein, an improper communication source analyzing unit which refers to said traffic log, in case that it is alerted from a communication failure alerting unit of said storage subsystem that a communication failure is generated, and searches a source of said communication packet causes the communication failure.
8. The management server according to claim 7, further comprising, a relay device control unit which controls, based on information of a source searched in said improper communication source analyzing unit, a relay device which relays communication to said storage subsystem disposed on said communication line so as to cut off communication from the source.
9. A computer readable storage medium including a program for a computer mounted on a storage subsystem connected to a host computer through a communication line, the program comprising: code for connecting to said communication line; code for judging, on the occasion of having received communication packets from said communication line through connecting to said communication line, whether there is a communication packet with a predetermined format for use in an access to said storage subsystem, among the communication packets; code for receiving the communication packet judged to be for said access in said judging, and judges whether it is a communication packet permitted to access to a storage area in said storage subsystem and transmitted from said host computer or not; code for measuring traffic of all communication packets received in connecting to said communication line, and traffic of a communication packet judged not to be the packet with said format in said first filter, respectively, and by using the both traffics, judging whether a communication failure is generated or not; and code for alerting a management server connected to said storage subsystem and displaying information alerted, in case that it is judged that a communication failure is generated in measuring said traffic of all communications packets received in connecting to said communication line.
10. (canceled)
11. (canceled)
12. A computer readable storage medium including a program for a computer mounted on a management server which is connected to a storage subsystem, the program comprising: code for referring to said traffic log, in case that it is alerted from a communication failure alerting unit of said storage subsystem that a communication failure is generated, and searching a source of said communication packet which causes the communication failure.
13. A computer readable storage medium including a program for a computer mounted on a management server which is connected to a storage subsystem, the program comprising: code for referring to said traffic log, in case that it was alerted from a communication failure alerting unit of said storage subsystem that a communication failure is generated, and searching a source of said communication packet which causes the communication failure, and code for controlling, based on information of a source searched in said searching, a relay device which relays communication to said storage subsystem disposed on said communication line for receiving a communication packet so as to cut off communication from the source.
14. (canceled)
15. A storage system in which a storage subsystem, a host computer, and a management server are connected by a communication line, wherein, said storage subsystem comprises an interface which connects to said communication line, and said interface comprises, a first filter which judges, on the occasion of having received communication packets from said communication line, whether there is a communication packet with a predetermined format for use in an access to said storage subsystem, among the communication packets, a second filter which receives the communication packet judged to be for said access in said first filter, and judges whether it is a communication packet permitted to access to a storage area in said storage subsystem and transmitted from said host computer or not, a traffic measuring and judging unit which measures traffic of all communication packets received in the interface, and traffic of a communication packet judged not to be the packet with said format, respectively, and by using the both traffics, judges whether a communication failure is generated or not, a communication failure alerting unit which alerts said management server, in case that it is judged that a communication failure is generated in said traffic measuring and judging unit, and a traffic log recording unit which records, as a traffic log, communication information of a communication packet judged not to be the communication packet with said format in said first filter and a communication packet judged not to be the communication packet transmitted from said host computer permitted to access in the second filter, and said management server comprises a display device which displays the alert received from said communication failure alerting unit, an improper communication source analyzing unit which refers to said traffic log, in case that it is alerted from a communication failure alerting unit of said storage subsystem that a communication failure is generated, and searches a source of said communication packet which causes the communication failure, and a relay device control unit which controls, based on information of a source searched in said improper communication source analyzing unit, a relay device which relays communication to said storage subsystem disposed on said communication line so as to cut off communication from the source.
16. The storage system according to claim 15, wherein, in case that said host computer is permitted to access to said storage subsystem, said interface further comprises an access permission table having information which uniquely specifies the host computer, and information which specifies a storage area in said storage subsystem to which the host computer is permitted to access, and said second filter judges whether a communication packet judged to be for use in said access, is transmitted from the host computer permitted to access or not, in accordance with information stored in said access permission table.
17. The storage system according to claim 15, wherein, said traffic measuring and judging unit further measures traffic of a communication packet judged not to be the communication packet transmitted from said host computer permitted to access in said second filter, and by using the traffic and said traffic of all communication packets, further judges whether a communication failure is generated or not.
18. The storage system according to claim 17, wherein, said traffic measuring and judging unit further measures traffic of a communication packet judged to be the communication packet transmitted from said host computer permitted to access in said second filter, and by using the traffic and said traffic of all communication packets, judges whether a value of a ratio of traffic of a communication packet transmitted from said host computer permitted to access to traffic of all communication packets is less than a predetermined value or not, and said communication failure alerting unit alerts said management server of the alert which indicates that second communication failure is generated, in case that it is judged that the value of the ratio is less than the predetermined value in the traffic measuring and judging unit, and said management server further comprises a QoS condition designating unit which, in case of having received the alert which indicates that the second communication failure is generated from said communication failure alerting unit, readjusts a network QoS between said storage subsystem and said host computer, which has been set up in advance by an administrator.
19. A communication control method in a storage system in which a storage subsystem, a host computer, and a management server are connected by a communication line, comprising: judging, when communication packets from said communication line were received in said storage subsystem, whether there is a communication packet with a predetermined format for use in an access to said storage subsystem, among the communication packets, measuring traffic of all communication packets received by said storage subsystem, and traffic of a communication packet judged not to be the packet with said predetermined format, respectively, and recording a traffic log of a communication packet judged not to be the communication packet with said format, judging, by using said measured both traffics, whether a communication failure is generated or not, and alerting said management server, in case that it is judged that a communication failure is generated, referring to said traffic log, in case that the alert that the communication failure is generated is received in said management server from said storage subsystem, and searching information of a source of said communication packet which causes said communication failure, and controlling, based on information of the searched source, a relay device which relays communication to said storage subsystem disposed on said communication line so as to cut off communication from the source.
20. A storage system having a storage subsystem connected to a host computer through a communication line, and a management server connected to said storage subsystem, wherein, said storage subsystem comprises an interface which connects to said communication line and a maintenance terminal which maintains said storage subsystem, and said interface comprises a first filter which judges, on the occasion of having received communication packets from said communication line, whether there is a communication packet with a predetermined format for use in an access to said storage subsystem, among the communication packets, a second filter which receives the communication packet judged to be for said access in said first filter, and judges whether it is a communication packet permitted to access to a storage area in said storage subsystem and transmitted from said host computer or not, a traffic measuring and judging unit which measures traffic of all communication packets received in the interface, and traffic of a communication packet judged not to be said communication packet permitted to access in said second filter, respectively, and calculates a value of a ratio of the both traffics (communication ratio), and by using the both traffics, judges whether a communication failure is generated or not, and a communication failure alerting unit which alerts said maintenance terminal, in case that it is judged that a communication failure is generated in said traffic measuring and judging unit, of that failure is generated and said communication ratio, and said maintenance terminal comprises a warning message reporting unit which generates, in case that the alert of that a communication failure is generated and said communication ratio is received from said communication information and failure alerting unit, a warning message in accordance with said alert, and outputs it to said management server, and said management server comprises: an output device, a failure information displaying unit which comprises said output device displayed the warning message and said communication ratio received from said warning message reporting unit, and a QoS condition designating unit which judges whether said communication ratio is within a predetermined permissible zone, and in case that it is judged to be outside the permissible zone, adjusts a network QoS of a relay device which relays communication to said storage subsystem disposed on said communication line.
21. The storage subsystem according to claim 1, wherein a header of the communication packet with the predetermined format includes information which shows that an iSCSI command is encapsulated in the communication packet.
22. The storage system according to claim 18, wherein a header of the communication packet with the predetermined format includes information which shows that an iSCSI command is encapsulated in the communication packet.